We proposed in the NPRM to grant individuals a right to receive an accounting of all disclosures of protected health information about them by a covered entity for purposes other than treatment, payment, and health care operations. We proposed this right to exist for as long as the covered entity maintained the protected health information.
We also proposed that individuals would not have a right to an accounting of disclosures to health oversight or law enforcement agencies if the agency provided a written request for exclusion for a specified time period and the request stated that access by the individual during that time period would be reasonably likely to impede the agency's activities.
We generally retain the proposed approach in the final rule. As in the proposed rule, individuals have a right to receive an accounting of disclosures made by a covered entity, including disclosures by or to a business associate of the covered entity, for purposes other than treatment, payment, and health care operations, subject to certain exceptions as discussed below.
We revise the duration of this right under the final rule. Individuals have a right to an accounting of the applicable disclosures that have been made in the 6 year period prior to the date of a request for an accounting. We additionally clarify in § 164.528(b)(1) that an individual may request, and a covered entity may then provide, an accounting of disclosures for a period of time less than 6 years from the date of the request. For example, an individual could request an accounting only of disclosures that occurred during the year prior to the request.
In the final rule, we exclude several additional types of disclosures from the accounting requirement. Covered entities are not required to include in the accounting disclosures to the individual as provided in § 164.502; disclosures for facility directories, disclosures to persons involved in the individual's care, or other disclosures for notification purposes as provided in § 164.510; disclosures for national security or intelligence purposes as provided in § 164.512(k)(2); disclosures to correctional institutions or law enforcement officials as provided in § 164.512(k)(5); or any disclosures that were made by the covered entity prior to the compliance date of the rule for that covered entity.
We retain the time-limited exclusion for disclosures to health oversight and law enforcement agencies, but require rather than permit the exclusion for the specified time period. Covered entities must exclude disclosures to a health oversight agency or law enforcement official from the accounting for the time period specified by the applicable agency or official if the agency or official provides the covered entity with a statement that inclusion of the disclosure(s) in the accounting to the individual during that time period would be reasonably likely to impede the agency or official's activities. The agency or official's statement must specifically state how long the information must be excluded. At the expiration of that period, the covered entity is required to include the disclosure(s) in an accounting for the individual. If the agency or official's statement is made orally, the covered entity must document the identity of the agency or official who made the statement and must exclude the disclosure(s) for no longer than 30 days from the date of the oral statement, unless a written statement is provided during that time. If the agency or official provides a written statement, the covered entity must exclude the disclosure(s) for the time period specified in the written statement.